Summer Finance, a DeFi yield-optimization protocol also known as Summer.fi, has been exploited for $6 million, according to onchain analysts.
Blockchain security firm Blockaid flagged the security breach early Monday morning, while other analysts followed up with further details.
Cyvers wrote in an X post that the attacker seemingly targeted a share accounting vulnerability through price manipulation, swapped the stolen $6 million to DAI stablecoins, and moved the funds to an attacker-controlled address.
Meanwhile, CertiK further explained that the attacker used a $65.4 million flash loan to attain a $70.9 million redemption by manipulating how Summer.fi's Lazy Summer Protocol accounted for assets in its vaults. The protocol is an automated yield-optimization system that uses AI keepers to dynamically allocate and rebalance user deposits across multiple high-yield lending platforms.
"Attacker was able to redeem $70.9M following a $64.8M deposit thanks to manipulation of FleetCommander's accounting of totalAssets() on a host of vaults, particularly Silo: Varlamore USDC Growth, which the attacker had accumulated beforehand and donated to the Ark in between," CertiK wrote. Fleet Commander is the smart contract managing the vaults, while the Ark is the contract that connects a vault to a lending protocol.









